eFront LMS - RCE (All versions)

11:48 AM

TL,DR; Its been a while last I published a post. so this is going to be a short post about an interesting-ish RCE found in all versions of eFront LMS - reported over 120 days ago but eFront cutting the open-source version as a response instead of a patch, I am forced to notify people of this vulnerability. I will update this post if a patch for this bug is out.

In /efront/libraries/globals.php:

The following handleSEO() function is the one causing the code execution. it looks like the following:

function handleSEO() {

if (!$GLOBALS['configuration']['seo'] && $_SERVER['PATH_INFO']) {

$parts = explode("/", trim($_SERVER['PATH_INFO'], "/"));

for ($i = 0; $i < sizeof($parts); $i+=2) {

eval('$'.$parts[$i].' = "'.$parts[$i+1].'";');

}

//unset($parts);unset($i);

foreach (get_defined_vars() as $key => $value) {

$_GET[$key] = $value;

}

}

}

Because of their assumption that $_SERVER['PATH_INFO'] isn't user controllable, they sent it straight to eval(), causing the code execution.

And Boom! We got our code executed!

Share This Story

You Might Also Like

1 comments

Instruction is an imperative aspect of a man's being that ought to be given genuine consideration. Understudies of government funded schools in the United States are precluded from claiming quality instruction as a result of wild school savagery. A for more information visit lms meaning.

About Paulos

I am currently specializing in application security and client side offensive exploit research. I really enjoy breaking things. I occasionally do bug bounties, with notable references such as Coinbase, Facebook,Twitter& more.